In recent years, RPC endpoints in blockchains became pivotal elements and instruments for dApps building. At the same time, even reputable protocols and services are still losing money and data due to issues with API and RPC endpoint security.
What is RPC in blockchain?
In the segment of blockchain-based apps or decentralized applications (dApps), RPC (short for “remote procedure call”) is a crucial communication mechanism that allows developers to interact with the blockchain network and access its data and functionalities (transactions, swaps, token minting, and so on).
RPC enables dApps to make requests to a remote node (server with installed and synchronized software client) that is connected to the blockchain. This opportunity is an essential part of the dApp’s frontend/backend synergy.
In modern dApps, the client (usually a web or mobile app) needs to interact with the blockchain network, which is maintained by nodes. The client sends RPC requests to a remote node.
Let’s check out some basic examples of how RPC mechanisms work in dApps:
- Accessing blockchain data. Through RPC, the dApp can retrieve blockchain data, such as transaction history, smart contract states, account balances, and more. This data is crucial for displaying information and making informed decisions within the dApp.
- Sending crypto transactions. RPC also allows the dApp to send transactions to the blockchain. For example, users can initiate token transfers, execute smart contracts, or perform other blockchain actions through the dApp’s interface.
- Checking security status and permissions. RPC endpoints may require authentication and authorization to ensure that only authorized users or dApps can access them. This adds a layer of security to the interactions.
Technically, RPC calls are made using APIs (application programming interfaces), which provide a structured way to interact with the blockchain. Ethereum, for instance, has JSON-RPC API endpoints that dApps use to send requests and receive responses.
Accessing Ethereum via RPC endpoint: Step-by-step manual
Let’s check out the sample of requests and responses through Ethereum RPC endpoints. In this experiment, we’re going to find out the information about the Ethereum block by its number.
- We need to send such a request via curl:
curl -X POST –data ‘{“jsonrpc”:”2.0″,”method”:”eth_getBlockByNumber”,”params”:[“0x2″, false],”id”:1}’ https://go.getblock.io/cb2fabd1c14776f61c104d1e9e1df692/
In this request:
“jsonrpc”:”2.0” specifies the JSON-RPC version of API interface;
“method”:”eth_getBlockByNumber” indicates the Ethereum API method (standardized command) to fetch block information by block number;
“params“:[“0x2”, false] includes the block number you want to retrieve (0x2 in this example for the latest one), and false indicates that you want to get the full block information;
“id”:1 is a unique identifier for the request.
Replace https://go.getblock.io/cb2fabd1c14776f61c104d1e9e1df692/ with your actual GetBlock API endpoint address.
- We will receive the following response from Ethereum blockchain:
{
“jsonrpc”: “2.0”,
“id”: 1,
“result”: {
“difficulty”: “0x31962a3fcf400”,
“extraData”: “0x506172697479”,
“gasLimit”: “0x79f39b”,
“gasUsed”: “0x79f39b”,
“hash”: “0xd99c547be5b3f5ee58119b3b3e67a7de0de239e32a01beffbdb5832930149aa7”,
“logsBloom”: “0x4d6e84”,
“miner”: “0x61C808D82A3Ac53231750daDc13c777b59310bD9”,
“mixHash”: “0xc65de0ee36d7f607b755a70e4e8ac81a0e3d2d353a7b832”,
“nonce”: “0x9402e2c4f59f01d8”,
“number”: “0x2”,
“parentHash”: “0x964de4a8b0d7d26626d71f91e2104b8a404f5c856fa1075bc3134a0ebfcad2a5”,
“receiptsRoot”: “0x22c42e63a7c5e89c58e9cf3623a8dd116b61f793c80fae8dd39b3e7b4a20809e”,
“sha3Uncles”: “0x1dcc4de8dec75d7aab85b567b6ccd41ad312451b948a7413f0a142fd40d49347”,
“size”: “0x220”,
“stateRoot”: “0xf1130b1afd6741e7d28f8e46a28af084b83321d12de2d6c5cc01629aa1e08b32”,
“timestamp”: “0x55ba467c”,
“totalDifficulty”: “0x9866f55b4721”,
“transactions”: [
{
“blockHash”: “0xd99c547be5b3f5ee58119b3b3e67a7de0de239e32a01beffbdb5832930149aa7”,
“blockNumber”: “0x2”,
“from”: “0x61C808D82A3Ac53231750daDc13c777b59310bD9”,
“gas”: “0x15f90”,
“gasPrice”: “0x430e23400”,
“hash”: “0xd1f35e61a6a68699a956567ba9ee6740df94f1295ef3f207c1d92f3a4ee37867”,
“input”: “0x”,
“nonce”: “0x0”,
“to”: “0x7f04d64e3f5b99a541561e5ea443383c3e8950a4”,
“transactionIndex”: “0x0”,
“value”: “0x2d1a94e0b8be40000”,
“v”: “0x1b”,
“r”: “0x55fba72bdc49b4bf76d062edd4306825b0f6d984dc199f71ff9ce9e3a9c8971”,
“s”: “0x4ae4ae30c1e84e45ea89b3fcdbb1d6de8752d7e4e5aa162863e5b098d98be41f”
}
],
“transactionsRoot”: “0xd25f9be0c7ff61a6f157a0a70bcce50f2006f29b4d6bc291b501e193d73a112f”,
“uncles”: []
}
}
This response includes various details about the Ethereum block, including the block’s difficulty, gas limits, miner, transactions, and more.
That’s how, knowing only the number of certain blocks, we can retrieve full technical details about it from the blockchain without third-party involvement.
What are private RPC nodes?
In their operations, blockchains rely on distributed infrastructure of nodes. In general, there are three types of nodes: light nodes, full nodes, and archive nodes. Each type is responsible for its own scope of operations and requires its unique combination of software and hardware components.
| Light | Full | Archive | |
| Role in blockchain | Only reads the data | Reads and writes the data, accesses latest blocks | Reads and writes the data, accesses all blocks from the genesis one |
| Hardware requirements | Mainstream devices | Servers | High-performance servers |
| Synchronization time | Minutes | Hours | Hours or days |
| Who uses | Wallets | All types of dApps | Sophisticated dApps for analytics: trackers, explorers, and so on. |
As such, to run any type of blockchain-based application – DeFi protocol, blockchain game, trading bot – Web3 teams need a reliable connection to full or archive nodes. They can run blockchain nodes by themselves, but it takes significant effort: hardware leasing, a DevOps team, 24/7 monitoring, and so on.
Instead, they can connect dApps to private RPC nodes by blockchain node provider. In this case, a product team is responsible for all nodes “legwork”, and the dApp just connects to blockchains via endpoints (as we displayed above).
GetBlock is one of the leading RPC node providers: it supercharges dApps with stable and fast connection to 50+ blockchains, including all leading L1s and L2s. Free and paid plans are available to its users. Also, GetBlock was the first Blockchain-as-a-Service node provider to add MetaMask authorization. Infura, Alchemy, and Quicknode are the most popular of GetBlock’s competitors.
Security tips for RPC nodes users
While normally, building with BaaS RPC nodes is more resource-efficient than running own blockchain nodes or using public RPC endpoints, customers of such nodes should be aware of basic security rules.
Access control and authentication
Users should always implement strong access controls and authentication mechanisms for all used RPC nodes. Firewalls, IP whitelists, and authentication protocols are necessary to ensure that only authorized users and applications can interact with private nodes. Access to trusted entities and regularly review access permissions should be limited.
Encryption for data transmission
Encryption for data transmission between your RPC node and client applications should also be enabled. Secure protocols like HTTPS or SSH are required to protect sensitive data from interception and eavesdropping. Data exchanged between dApp-associated nodes and external sources should also be encrypted to safeguard confidentiality.
Regular updates and patching
RPC node software should be up to date with the latest security patches and releases. Vulnerabilities can be exploited by attackers, so promptly applying patches helps protect a node from known security issues. Official channels and communities for software updates and security advisories should be monitored.
Stringent rate limiting and monitoring
Reasonable rate limiting should be implemented to prevent abuse and potential denial-of-service attacks on your RPC node. Monitor incoming requests and set limits on the number of requests per second to mitigate the risk of overload. Set up monitoring and alerting to detect unusual or suspicious activity promptly.
Logging and auditing
Enable comprehensive logging and auditing of RPC node activities. Maintain logs of all incoming requests, responses, and interactions to aid in diagnosing issues and identifying security incidents. Regularly review and analyze logs to detect and respond to any anomalies or unauthorized access attempts.
By following these security tips, users of RPC nodes can help safeguard their blockchain infrastructure and data from potential threats and vulnerabilities, ensuring the integrity and security of their blockchain interactions.
Wrapping up
RPC endpoints are crucial elements of blockchain infrastructure. Private RPC nodes streamline the process of dApps development and dramatically reduce the costs of crypto app building.
While working with RPC endpoints, dApps should implement basic security techniques to avoid being hacked or manipulated. dApps team need to control the authentication security, implement encrypted communications, update software regularly, check out rate limits and have all activity on RPC endpoints logged.
